Profile Applicability:
Level 1
Description:
Kubernetes allows containers to run with additional Linux capabilities, granting them extended privileges to perform certain operations. This check ensures that containers are not granted additional capabilities unless absolutely necessary, thus minimizing the risk of privilege escalation and reducing the attack surface.
Rationale:
Assigning unnecessary Linux capabilities to containers can lead to security risks, such as the potential for a container to gain unauthorized access to the underlying host system or other containers. By minimizing the use of capabilities and only assigning them when necessary, the security of the Kubernetes cluster is enhanced, and the principle of least privilege is enforced.
Impact:
Pros:
Reduces the risk of containers gaining unauthorized access or privileges.
Enhances overall cluster security by minimizing the number of granted capabilities.
Helps adhere to security best practices and regulatory standards.
Cons:
May require modification of container configurations if capabilities are required by specific workloads.
Some applications may require additional capabilities to run properly.
Default Value:
By default, Kubernetes containers receive only the container runtime's default capability set; no additional Linux capabilities are added unless they are explicitly listed under capabilities.add in the pod specification.
Pre-requisites:
Ensure that PodSecurityPolicies (PSPs) or other admission controllers are configured to restrict the assignment of unnecessary capabilities. Note that PodSecurityPolicy was removed in Kubernetes v1.25; on current clusters, enforce the same restriction with Pod Security Admission (the restricted Pod Security Standard requires dropping ALL and allows only NET_BIND_SERVICE to be added) or a policy engine.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access the Azure Kubernetes Service (AKS) cluster.
Review the Pod specifications to verify that capabilities are not assigned to containers unless explicitly required for functionality.
Check the PodSecurityPolicies or Admission Controllers to ensure that capabilities are restricted and only allowed for trusted workloads.
Using Azure CLI:
Use the following command to check for the use of capabilities in your container configurations:
kubectl get pods --all-namespaces -o=jsonpath='{.items[*].spec.containers[*].securityContext.capabilities.add}'
Verify that the capabilities field is either not present or contains only the necessary capabilities.
Ensure that PodSecurityPolicies are in place to restrict the assignment of unnecessary capabilities.
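The jsonpath command above prints the added capabilities without saying which Pod they belong to. The following added audit script (not part of this benchmark or of AKS) applies the same check to the JSON form of the kubectl output, reporting per container and also covering init and ephemeral containers, which the jsonpath expression skips. The allowlist and the sample PodList are constructed for illustration.

```python
import json
import sys

# Hypothetical allowlist of capabilities a workload may add without being flagged.
ALLOWED_ADDS = {"NET_BIND_SERVICE"}


def container_findings(pod, container, allowed):
    """Flag capabilities added outside the allowlist and a missing drop of ALL."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    added = set(caps.get("add") or [])
    dropped = set(caps.get("drop") or [])
    ref = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}/{container['name']}"
    findings = []
    extra = added - allowed
    if extra:
        findings.append(f"{ref}: adds non-allowlisted capabilities {sorted(extra)}")
    if "ALL" not in dropped:
        findings.append(f"{ref}: does not drop ALL capabilities")
    return findings


def audit_pods(pod_list, allowed=ALLOWED_ADDS):
    """Audit init, regular and ephemeral containers of every Pod in a PodList."""
    findings = []
    for pod in pod_list.get("items", []):
        for kind in ("initContainers", "containers", "ephemeralContainers"):
            for container in pod["spec"].get(kind) or []:
                findings.extend(container_findings(pod, container, allowed))
    return findings


# Constructed sample PodList (not output from a real cluster).
SAMPLE = {"items": [
    {"metadata": {"namespace": "web", "name": "nginx"},
     "spec": {"containers": [{"name": "nginx", "securityContext": {"capabilities":
              {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}},
    {"metadata": {"namespace": "tools", "name": "debug"},
     "spec": {"containers": [{"name": "shell", "securityContext": {"capabilities":
              {"add": ["SYS_ADMIN", "NET_RAW"]}}}]}},
    {"metadata": {"namespace": "batch", "name": "job"},
     "spec": {"initContainers": [{"name": "init"}],
              "containers": [{"name": "worker", "securityContext": {}}]}},
]}

if __name__ == "__main__":
    # Usage: kubectl get pods --all-namespaces -o json | python3 audit_caps.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for finding in audit_pods(data):
        print(finding)
```

Run without piped input it audits the embedded sample; piped the real kubectl JSON, every line printed is a container to review.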
Implementation Plan:
Using Azure Console:
In the Azure portal, navigate to your AKS cluster and review the Pod configurations.
Ensure that capabilities are not defined in the securityContext unless required. Modify the Pod specification to avoid assigning unnecessary capabilities.
Apply a PodSecurityPolicy that restricts the use of capabilities unless explicitly required. For example:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrict-capabilities
spec:
  allowedCapabilities:
  - NET_BIND_SERVICE            # Allow only necessary capabilities
  defaultAddCapabilities: []
  requiredDropCapabilities:
  - ALL                         # Drop all unnecessary capabilities
  # The PodSecurityPolicy schema requires the following four fields;
  # RunAsAny leaves them unrestricted so this policy only governs capabilities.
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
Apply and enforce the policy to ensure that containers only use the required capabilities.
Using Azure CLI:
Edit the Pod specification YAML to remove any unnecessary capabilities from the containers:
securityContext:
  capabilities:
    drop: ["ALL"]                # Drop all capabilities
    add: ["NET_BIND_SERVICE"]    # Add only the necessary capabilities
Apply the updated configuration:
kubectl apply -f pod-spec.yaml
To restrict capabilities using a PodSecurityPolicy, create a policy file with the following configuration (this stricter policy allows no added capabilities at all, so a Pod that adds NET_BIND_SERVICE as in the example above would be rejected by it):
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrict-capabilities
spec:
  allowedCapabilities: []
  requiredDropCapabilities: ["ALL"]
  # Required by the PodSecurityPolicy schema; RunAsAny leaves them unrestricted.
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
Apply the PodSecurityPolicy using the following command:
kubectl apply -f pod-security-policy.yaml
Backout Plan:
Using Azure Console:
If restricting capabilities causes issues with legitimate workloads, revert the changes in the Azure portal by modifying the PodSecurityPolicy or updating the container's security context to re-enable required capabilities.
Using Azure CLI:
Revert the Pod specification by adding back the necessary capabilities in the YAML file and applying the configuration:
kubectl apply -f pod-spec.yaml
Revert any PodSecurityPolicy changes by deleting the policy with the following command:
kubectl delete podsecuritypolicy restrict-capabilities